Earlier this week, Karsten Nohl, a security researcher at SR Labs,
revealed his discovery of a massive hole in SIM card encryption that
could leave as many as 750 million of the 7 billion SIM-carded devices
in the world vulnerable to attack. Not just your average hacking
shenanigans – if your phone's SIM card is compromised, it's the phone
equivalent of identity theft. An intruder can do a lot of damage.

A SIM card – or Subscriber Identity Module – tells your wireless
carrier who you are and that you can be trusted. Hackers who exploit
your SIM could access your wireless carrier account, some texts and
contacts, and your network identification information. Using this info,
they could modify your carrier account, reroute your phone calls, clone
your phone number to another phone, steal your payment credentials
(including some NFC payment apps), change your voicemail, send out texts
as you, and obtain your exact location by pinging your carrier, among
other things. The list of vile acts possible with SIM access is high,
and breaking into your phone is almost as easy as sending a text
message.

AT&T, Sprint, T-Mobile, and Verizon users are safe

Luckily, you may not have to worry. Despite the many vague and scary reports
circulating, if you live in the United States, your SIM card (that
little card that usually sits under your phone's battery) is probably
not at risk of being hacked.

Representatives from all four major wireless carriers in the United
States – AT&T, Sprint, T-Mobile, and Verizon – have confirmed with
Digital Trends that they do not use the older, 56-bit DES (Data Encryption Standard)
SIMs that are vulnerable to Nohl's exploit. This aging standard from
1977 is still used in some areas around the world, and is far less
secure than newer 1998 standards like AES (Advanced Encryption Standard) and Triple DES.
This means that the vast majority of subscribers in the United States
are safe. Most smaller carriers like Virgin, Boost, Ting, and others
piggy back off of the major carrier networks, making them safe from this
exploit as well.

Sprint and Verizon, which didn't use SIM cards at all until they
began deploying high-speed 4G LTE networks, told us that "100 percent"
of their SIM cards use newer, safer encryption standards.

"Verizon SIM cards are not vulnerable to this potential attack
because of the way they are designed and manufactured," said a Verizon
representative. "We take the privacy and security of our customers very
seriously, and will continue to work with our SIM card vendors, industry
groups, and others to prevent and thwart any security concerns."

AT&T and T-Mobile did use the vulnerable DES standard in the
past, but have used Triple DES for many years. AT&T representatives
said that it has not used the hackable standard for "nearly a decade."
T-Mobile hasn't used it for "at least seven years." If you happen to own
a phone that's bordering on seven years old, go buy a new one.
Otherwise, you're safe.

Another reason not to worry

But what should you do if you aren't using one of the big U.S. carriers or a smaller provider that uses one of their networks? Should you be worried? Nohl says everyone should stay calm.

"For the moment, there is no reason to be concerned, as criminals
will likely take months to reimplement the research results," Nohl tells
Digital Trends. "If, by the time they do, networks have not implemented
network defenses or upgraded their SIMs remotely, it may be time to ask
for a new SIM." He adds, "Abuse is likely still months away," and that
SR Labs shared results "several months ago and have been in a very
constructive dialogue with the carries ever since."

Nohl's team spent three years and tested more than 1,000 SIM cards to discover the bug. Nohl will speak in more detail about the vulnerability at the BlackHat security conference on August 1, 2013.

What to do if you're still worried

If you don't live in the United States, or don't know the status of your carrier, your best bet is to call your mobile carrier and ask.

"Asking the service provider for more information is currently the
best option," said Roel Schouwenberg, senior security researcher at Kaspersky Lab. "Hopefully they will move quickly and provide more information on their websites shortly."

"This news should serve as a wake-up call to any service providers
that are still using outdated technology," adds Schouwenberg, "as well
as highlight the importance of pushing out new security developments
when possible."

Schouwenberg points out that there is no quick fix for this SIM card
exploit if you have it. Phones affected by the SIM card vulnerability
(like older flip phones) do not have access to any form of security
software that could help prevent attacks. But if you're in the United
States, you're likely safe. If you're not, you have a few months to
switch to a more up-to-date carrier.

INFORMATIONAL DISCLAIMER
The information contained on or provided through this site is intended for general consumer understanding and education only and is not intended to be and is not a substitute for professional financial or accounting advice. Always seek the advice of your accountant or other qualified personal finance advisor for answers to any related questions you may have. Use of this site and any information contained on or provided through this site is at your own risk and any information contained on or provided through this site is provided on an "as is" basis without any representations or warranties.